Reporting security issues
Keeping customer data safe and secure is a huge responsibility and our top priority. We work hard to protect against the latest threats, so your input and feedback on our security is always appreciated.
Security researchers
We are happy to work with security researchers; you're an important part of keeping the internet a safe place to work. If you discover a flaw in our security that could impact Timetastic or our customers, please let us know by contacting our support team.
The following security issues are currently not in scope (please don’t report them):
- Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests)
- TLS configuration weaknesses (e.g. "weak" ciphersuite support, TLS 1.0 support, Sweet32 etc.)
- Reports of non-exploitable vulnerabilities.
- Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or suboptimal email-related configuration (SPF, DMARC etc.)
Dealing with security reports
We read all reports and will get back to you as soon as we can, usually within 24 hours.
We’ll investigate the issue and determine how it impacts Timetastic. We won’t disclose issues until our investigation is finished, but we’ll work with you to ensure we fully understand the issue.
Once the issue is resolved, we’ll post a security update on our changelog and, if you wish, a thanks and credit for the discovery.